Corrata discovers weak encryption on major websites when accessed using iOS devices
Official Press Release (Dublin, 16 May 2022): Mobile threat defense solution provider, Corrata, today announced the discovery of poor encryption practices on a number of major websites including Irish telecoms company Eir and German newspaper Bild. In line with its responsible disclosure practice, Corrata contacted the owners of the websites concerned and the weaknesses have now been remedied. However, it is likely that other websites contain similar vulnerabilities and Corrata urges website owners to make sure that their encryption is in line with industry best practice.
Today the vast majority of websites use encryption to ensure that sensitive data exchanged between users and the website remains confidential. This confidentiality depends on the use of an internet protocol known as Transport Layer Security (TLS). HTTPS is HTTP carried over TLS, and is the form used when browsing websites. Its use is usually signalled by the appearance of the lock symbol at the left-hand end of the browser address bar.
However, not all website implementations of HTTPS are equally secure. Some websites use out-of-date versions of the protocol, or out-of-date ciphers, which are known to be vulnerable to attack. This is particularly risky when using Wi-Fi networks, because the traffic passing between a mobile phone and a Wi-Fi access point can easily be eavesdropped on. Internet users rely on the fact that sensitive data is transmitted in encrypted form to defeat such eavesdropping. However, where weak encryption is used it will fail to protect sensitive data such as passwords, financial information and other confidential data.
The specific weakness discovered by Corrata related to a misconfiguration of the sites' web servers that caused them to favour an old, insecure cipher called RC4 when accessed using iOS devices (iPhones and iPads). Known weaknesses in this cipher make traffic encrypted with it susceptible to attack, and website owners have been strongly advised not to use it for at least ten years. Devices with Corrata's mobile threat defense solution installed automatically detect these flaws and prevent users' data being stolen. It is these routine checks which brought the vulnerability to light.
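As an added example (not part of Corrata's release or its product), the following Python shows the two pieces of a defender-side check for this class of misconfiguration: a parser that reads the cipher suite a server actually chose from a captured TLS 1.0-1.2 ServerHello record and flags the RC4 suites by their IANA identifiers, and a small model of server-preference negotiation showing why a server that orders RC4 first still looks fine to a client that never offers RC4 but degrades for a client that does. The ServerHello bytes and the client offer lists are constructed here for illustration; they are not captures from any of the sites named.

```python
import struct

# IANA-registered TLS cipher suite identifiers that use the RC4 stream cipher.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC002: "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC00C: "TLS_ECDH_RSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

# Two modern AEAD suites used below as the "good" choices (IANA values).
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 = 0xC02F
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 = 0xC030


def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite the server selected in a TLS 1.0-1.2 ServerHello.

    Layout: 5-byte record header (type 0x16, version, length), then a 4-byte
    handshake header (type 0x02, 3-byte length), then version (2), random (32),
    session_id_length (1), session_id, cipher_suite (2), compression (1), ...
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    off = 35 + sid_len
    if len(hello) < off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", hello[off:off + 2])[0]


def negotiated_suite_is_rc4(record: bytes) -> bool:
    """True if the server chose any RC4 suite; this is the finding to alert on."""
    return parse_server_hello(record) in RC4_SUITES


def build_server_hello(cipher_suite: int) -> bytes:
    """Constructed minimal TLS 1.2 ServerHello (zero random, empty session id,
    null compression, no extensions) used as sample input for the parser."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", cipher_suite) + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def select_suite(client_offered, server_preference):
    """Server-preference negotiation: the first suite in the server's ordered
    list that the client also offered wins. A server list that puts RC4 first is
    harmless for clients that omit RC4 and weak for clients that still offer it."""
    offered = set(client_offered)
    for suite in server_preference:
        if suite in offered:
            return suite
    return None


if __name__ == "__main__":
    # Constructed misconfigured server: RC4 ahead of the AEAD suites.
    weak_server_order = [0x0005, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                         TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
    # Constructed client offer lists: one still carries RC4 as a fallback, one does not.
    client_with_rc4_fallback = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                                TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 0x0005]
    client_without_rc4 = [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                          TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
    for name, client in (("client offering RC4", client_with_rc4_fallback),
                         ("client without RC4", client_without_rc4)):
        chosen = select_suite(client, weak_server_order)
        record = build_server_hello(chosen)
        flag = "WEAK (RC4)" if negotiated_suite_is_rc4(record) else "ok"
        print(f"{name}: server chose 0x{chosen:04X} -> {flag}")
```

The fix on the server side is to remove the RC4 suites from the configured list altogether rather than reorder them; `select_suite` shows that any client still offering RC4 will get it as long as the server is willing to pick it.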
Corrata are global leaders in mobile security for organisations of all sizes. Headquartered in Dublin, Ireland, they currently work with leading businesses across Europe and North America to provide protection against phishing, malware, man-in-the-middle attacks and data loss on smartphones and tablets without the complexity found in competing solutions. Corrata's mobile endpoint security solution operates discreetly and locally on a user's mobile phone or tablet, with no interruption of device performance and without compromising employee privacy or user experience.